Ninja Forms File Upload Is Being Actively Exploited Right Now
Strangers could be uploading malicious files to your WordPress site at this very moment — and you wouldn't know until something breaks, or someone tells you.
On 6 April 2026, Wordfence publicly disclosed a critical vulnerability in Ninja Forms – File Upload, a plugin installed on an estimated 50,000 WordPress sites. Attackers aren't waiting around. According to Wordfence's disclosure, this flaw is already being actively exploited in the wild.
What Exactly Is Happening
The vulnerability is classed as an Arbitrary File Upload flaw. Plain English: it lets someone who isn't logged in — no account, no password, nothing — upload any file they like to your server, including PHP backdoors.
A PHP backdoor is a hidden script that gives an attacker ongoing access to your site, even after you've changed your password or patched the plugin. They plant it once. They can come back whenever they like.
This is about as bad as it gets.
Wordfence confirmed the vulnerability on 6 April 2026 and notes that attackers are actively exploiting it — meaning this isn't a theoretical risk sitting in a researcher's lab report. It's being used right now, against real sites.
Are You Affected?
If you have the Ninja Forms – File Upload plugin installed on your WordPress site, you need to check this today. Not this week. Today.
The plugin has around 50,000 active installations, according to Wordfence's figures. That's a significant slice of sites, and given how many WordPress setups run Ninja Forms for contact and lead capture forms, there's a real chance this is sitting on a client site you manage.
Do you know offhand which plugins are active on every site you look after? Most people don't. Which is exactly why this kind of exploit spreads so quickly.
What to Do Right Now
1. Check if the plugin is installed. Log into your WordPress dashboard, go to Plugins, and search for "Ninja Forms File Upload." If it's there, note the version number.
2. Update immediately. Check the plugin's page for a patched version. If an update is available, apply it now — don't queue it for your next maintenance window.
3. Check your uploads folder. If you have server access, look at your /wp-content/uploads directory for any .php files. PHP files have no business being in your uploads folder. If you find any, your site may already be compromised.
4. Scan your site. Wordfence (the free version is fine for this) can scan for known malware and suspicious files. Run a full scan.
5. If you think you've been hit, don't just patch and move on. A patched plugin doesn't remove a backdoor that's already been planted. You'll need a proper malware cleanup — or call in someone who knows what they're doing.
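Step 3 of that checklist as a shell check you can run on the server; this is an added example, not code from the Uptrue post or from Wordfence. It assumes a POSIX shell with find's -iname (GNU and BSD find both have it), and it goes a little beyond the post's ".php" by also flagging the other extensions typical PHP hosts execute (php followed by a digit, phtml, phps, phar), which is an assumption about server configuration.

```shell
#!/usr/bin/env sh
# Added example, not code from the Uptrue post or from Wordfence: step 3 of the
# checklist above, as a shell check you can run over a site's uploads directory.
# Extensions beyond ".php" (php plus a digit, phtml, phps, phar) are an assumption
# about what typical PHP hosts will execute; adjust to your server's handler config.

# List files under $1 whose name ends in a PHP-executable extension (case-insensitive),
# one per line. Returns 0 = nothing found, 1 = hits printed, 2 = directory missing.
# Inspect each hit before deleting: an empty index.php placeholder that a plugin
# created to block directory listing is harmless, a non-empty one is not.
find_php_in_uploads() {
    uploads_dir="$1"
    if [ ! -d "$uploads_dir" ]; then
        echo "not a directory: $uploads_dir" >&2
        return 2
    fi
    matches=$(find "$uploads_dir" -type f \( -iname '*.php' -o -iname '*.php[0-9]' \
        -o -iname '*.phtml' -o -iname '*.phps' -o -iname '*.phar' \) | sort)
    if [ -n "$matches" ]; then
        printf '%s\n' "$matches"
        return 1
    fi
    return 0
}

# Same check, but print only the number of hits (handy for a cron job that alerts
# when the count is non-zero). Always exits 0.
count_php_in_uploads() {
    find_php_in_uploads "$1" 2>/dev/null | grep -c . || :
}

# Self-contained demo on a constructed directory tree, not a real site, so the
# check can be tried without server access. Prints the hit count (2).
demo_on_constructed_tree() {
    tree=$(mktemp -d)
    mkdir -p "$tree/2026/04"
    : > "$tree/2026/04/brochure.pdf"     # legitimate upload
    : > "$tree/2026/04/IMG_0042.jpg"     # legitimate upload
    : > "$tree/2026/04/dropped.php"      # what step 3 is looking for
    : > "$tree/2026/04/Dropped.PHTML"    # case and extension variant
    : > "$tree/2026/04/notes.php.txt"    # not matched: the real extension is .txt
    count_php_in_uploads "$tree"
    rm -rf "$tree"
}

# With a directory argument, check it; with none, run the demo.
if [ "$#" -gt 0 ]; then find_php_in_uploads "$1"; else demo_on_constructed_tree; fi
```

On a real site run it as `sh check.sh /path/to/wp-content/uploads`; a non-zero exit status means there is something to read before you do anything else.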
What's Still Unclear
Wordfence's weekly vulnerability report for the week of 6–12 April 2026 covers the broader picture, but at the time of writing we couldn't confirm the specific patched version number from the source material. Check the plugin's official WordPress.org page directly for the latest version — and verify that the changelog mentions this fix explicitly.
We also can't confirm how many sites have already been compromised. Wordfence says attacks are active. The scale isn't yet public.
Can Uptrue Detect This?
Honestly, not directly. Uptrue monitors your site for downtime, slow response times, and SSL certificate issues — it's not a malware scanner. But here's the thing: a compromised site often behaves differently. Pages slow down. The server starts doing unexpected things. Response times spike. Uptrue would flag those symptoms.
It won't tell you why your site is slow at 3am on a Tuesday. But it will tell you something is wrong before your client rings at 9am.
If you're not monitoring your WordPress sites yet, Uptrue is worth setting up. Takes about two minutes per site. You can track uptime and response health from the Uptrue tracker.
FAQ
What is the Ninja Forms File Upload vulnerability? It's a critical security flaw disclosed on 6 April 2026 that allows anyone — without logging in — to upload malicious files, including PHP backdoors, to a vulnerable WordPress site.
How many sites are affected by this vulnerability? Ninja Forms – File Upload has an estimated 50,000 active installations, according to Wordfence.
Is my site already hacked? If you have the plugin installed and haven't patched it, your site may have been targeted. Check your /wp-content/uploads folder for any .php files and run a malware scan immediately.
Does updating the plugin fix a site that's already been compromised? No. Patching stops new attacks, but any backdoor already uploaded to your server remains active. You need a full malware scan and cleanup if you suspect compromise.
How do I know which version of the plugin is patched? Check the plugin's changelog on the official WordPress.org plugin page. Look for a release that specifically references this file upload security fix.